Peter,

On 11/10/23 13:27, Peter Otto wrote:
Logging into manager using MD5 works in 9.0.73 but now fails in 9.0.74->current
Steps to reproduce.

Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 tomcat:UserDatabase:nobueno

tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0


Step 2. Use the digest # and place it in tomcat-users.xml
<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<user username="tomcat" password="bb6c1c32b9b6df4f707c0e58f2c900e0" 
roles="manager-gui,manager-script"/>


Step 3. Edit server.xml and add the CredentialHandler to use MD5

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="MD5" />
  </Realm>
</Realm>



Step 4. Edit the web.xml in manager to say
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>UserDatabase</realm-name>
</login-config>

Step 5. Start Tomcat and try to access the manager.
On Windows 2019 server/Chrome/OpenJDK 11, type tomcat for the user
and nobueno for the password.

This would work on versions 9.0.73 and earlier

This stopped working from 9.0.74 and onwards.
The way to access the manager from 9.0.74+ is to use 
bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
In other words, the text in tomcat-users.xml is the password.

Does anyone have any ideas how to fix this?  I have to use a 9.0.74+ version of Tomcat
because of CVEs.

If you temporarily remove the LockOutRealm, does the correct password work?

If you upgrade to 9.0.82, does the correct password work?

-chris
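The thread's setup is standard RFC 2617 HTTP Digest: `digest.bat -a md5 -s 0 -i 1 tomcat:UserDatabase:nobueno` produces MD5(username:realm:password), the HA1 value, and a realm that handles DIGEST login is expected to use that stored string as HA1 directly rather than hashing it again. The following Python is an added example, not Tomcat's code and not from anyone in the thread. It models both sides of the exchange with constructed nonces and request values, and shows why the two symptoms reported above (the real password failing, the hex digest working as the password) are exactly what you see when a server treats the stored digest as a plaintext password and re-hashes it. The "rehash" mode is a model of that symptom only, not a claim about what changed in 9.0.74.

```python
import hashlib
import hmac

# Added example, not Tomcat's code: models RFC 2617 HTTP Digest (MD5, qop=auth)
# as used by the manager setup in the thread. Nonces, nc, cnonce and the
# request below are constructed for the example.

USERNAME = "tomcat"
REALM = "UserDatabase"          # must equal <realm-name> in the manager's web.xml
PASSWORD = "nobueno"
METHOD, URI = "GET", "/manager/html"
NONCE, NC, CNONCE = "constructed-nonce", "00000001", "constructed-cnonce"


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_bat_equivalent(text: str) -> str:
    """What `digest.bat -a md5 -s 0 -i 1 <text>` stores: plain MD5 of the
    input, no salt, one iteration (assumed from the post's command line)."""
    return md5_hex(text)


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password). Hashing
    "tomcat:UserDatabase:nobueno" yields the manager realm's HA1, which is
    the value that belongs in tomcat-users.xml for DIGEST auth."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str = "auth") -> str:
    """The 'response' field for qop=auth, computed identically by both sides."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(typed_password: str) -> str:
    """Browser side: HA1 is always derived from what the user typed."""
    return digest_response(ha1(USERNAME, REALM, typed_password),
                           METHOD, URI, NONCE, NC, CNONCE)


def server_accepts(stored: str, typed_password: str, rehash_stored: bool) -> bool:
    """Server side.
    rehash_stored=False: the stored value is used as HA1 (the behaviour the
      post describes for 9.0.73).
    rehash_stored=True: the stored value is treated as a plaintext password and
      hashed again (a model of the reported 9.0.74+ symptom, not its cause)."""
    server_ha1 = ha1(USERNAME, REALM, stored) if rehash_stored else stored
    expected = digest_response(server_ha1, METHOD, URI, NONCE, NC, CNONCE)
    # Constant-time comparison, as any credential check should use.
    return hmac.compare_digest(expected, client_response(typed_password))


def login_outcomes() -> dict:
    """Runs the four cases a practitioner would check when diagnosing this."""
    stored = digest_bat_equivalent(f"{USERNAME}:{REALM}:{PASSWORD}")
    return {
        "ha1_mode_real_password": server_accepts(stored, PASSWORD, False),
        "ha1_mode_wrong_password": server_accepts(stored, "wrong", False),
        "rehash_mode_real_password": server_accepts(stored, PASSWORD, True),
        "rehash_mode_digest_as_password": server_accepts(stored, stored, True),
    }


if __name__ == "__main__":
    for name, ok in login_outcomes().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it prints the real password accepted and a wrong one rejected in HA1 mode, and the reverse pattern in rehash mode: the real password is rejected while the stored hex digest typed as the password is accepted. That second pattern matches the post's observation, so a quick way to narrow the problem down is to reproduce the two logins against the same tomcat-users.xml entry after each configuration change Chris suggests (removing the LockOutRealm, upgrading to 9.0.82).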

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org